Set a default host for a Splunk server

An event's host value is the IP address, host name, or fully qualified domain name of the physical device on the network from which the event originates. Because Splunk assigns a host value at index time for every event it indexes, host value searches enable you to easily find data originating from a specific device.

Default host assignment

If you have not specified other host rules for a source (using the information in subsequent topics in this chapter), the default host value for an event is the hostname or IP address of the server running the Splunk instance (forwarder or indexer) consuming the event data. When the event originates on the server on which the Splunk instance is running, that host assignment is correct and there's no need to change anything. However, if all your data is being forwarded from a different host or if you're bulk-loading archive data, you might want to change the default host value for that data.

To set the default value of the host field, you can use Manager or edit inputs.conf.

Set the default host value using Manager

Use Manager to set the default host value for a server:

1. In Splunk Web, click on the Manager link in the upper right-hand corner of the screen.

2. In Manager, click System settings under System.

3. On the System settings page, click General settings.

4. On the General settings page, scroll down to the Index settings section and change the Default host name.

5. Save your changes.

This sets the default value of the host field for all events coming into that Splunk instance. You can override the value for invidividual sources or events, as described later in this chapter.

Set the default host value using inputs.conf

The default host assignment is set in inputs.conf during Splunk installation. You can modify the host value by editing that file in $SPLUNK_HOME/etc/system/local/ or in your own custom application directory in $SPLUNK_HOME/etc/apps/.

Splunk places the host assignment in the [default] stanza.

This is the format of the default host assignment in inputs.conf:

[default]
host = <string>

Set <string> to your chosen default host value. <string> defaults to the IP address or domain name of the host where the data originated.

Warning: Do not put quotes around the <string> value: host=foo, not host="foo".

Restart Splunk to enable any changes you make to inputs.conf.

Override the default host value for data received from a specific input

If you are running Splunk on a central log archive, or you are working with files forwarded from other hosts in your environment, you might need to override the default host assignment for events coming from particular inputs.

There are two methods for assigning a host value to data received through a particular input. You can define a static host value for all data coming through a specific input, or you can have Splunk dynamically assign a host value to a portion of the path or filename of the source. The latter method can be helpful when you have a directory structure that segregates each host's log archive in a different subdirectory.

Override the default host value using event data

Some situations require you to assign host values by examining the event data. For example, If you have a central log host sending events to Splunk, you might have several host servers feeding data to that main log server. To ensure that each event has the host value of its originating server, you need to use the event's data to determine the host value.

Enter your email address, and someone from the documentation team will respond to you:

Send me a copy of this feedback

Please provide your comments here. Ask a question or make a suggestion.

Feedback submitted, thanks!

You must be logged into splunk.com in order to post comments.
Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic.
If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk,
consider posting a question to Splunkbase Answers.

0
out of 1000 Characters

Your Comment Has Been Posted Above

We use our own and third-party cookies to provide you with a great online experience. We also use these cookies to improve our products and services, support our marketing campaigns, and advertise to you on our website and other websites. Some cookies may continue to collect information after you have left our website.
Learn more (including how to update your settings) here »